Answers to ‘Is the internet broken?’ and other Dyn DDoS questions

The massive DDoS attacks that took down internet address-translation service Dyn and its customers last week raise a lot of need-to-know questions about the overall security of online infrastructure and its performance.

While the attacks were ultimately mitigated and have subsided, the means for carrying out others are still viable and could crop up at any time with other targets. Here are some questions and answers that address what happened, how it happened, whether it could happen again and what the consequences might be.

Is the internet broken?

No, or at least not any more than it was before. It’s made up of a system of independent vendors and institutions working cooperatively to provide access to sites around the world. Each works in its own best interests but also cooperates with the others to make the system work for everybody. Like any such system, it’s got flaws and weaknesses. The Dyn attackers targeted some of these vulnerabilities and exploited them for maximum effect.

If just Dyn was attacked, why did it seem that the entire internet was broken?

Denial of service attacks can be very targeted – as narrow as a single server hosting a Website, for example – but their impact can be wide depending on what is targeted. In this case, it was Dyn’s DNS servers that do the job of turning human-language URLs into machine-readable IP addresses, thereby making sure internet communications are forwarded to the right computer on the internet. The attackers chose a target that offers services to a vast number of high-profile Web sites. By impairing Dyn, the attacks affected access to thousands of internet domains around the world, effectively blocking traffic to Web sites large and small that happened to be Dyn customers. To anyone trying to reach those customer sites, it seemed as if the internet was broken.

The attackers used tens of millions of internet-connected devices known as the internet of things (IoT) to carry out the attack. This takes advantage of the inherent weaknesses of a vast number of these devices, namely they use default or readily guessable passwords, have little or no security and are connected to the internet all the time. Think DVRs and cameras.

Why hasn’t this happened before?

It has.

Last month marked the grand debut of Mirai, a malware that helps round up IoT devices and infect them so they can carry out coordinated DDoS attacks of enormous scale. The first highly publicized such attack was targeted at a single site, that of Krebs on Security. It was perhaps the largest volume attack up to that time and showed just how powerful IoT botnets could be. Perhaps it was a deliberate, very public demonstration by its creators that these devastatingly powerful attacks were possible – a type of advertisement. Subsequent release of a version of Mirai source code showed that these attacks could be replicated, more or less at will.

So Mirai was responsible?

Certainly it played a large part, given the number of IoT machines Dyn says was involved – tens of millions. But analysts who observed the attacks say they included other devices that might have been grouped together in more traditional botnets. This suggests that the aggregate botnet was made up of DDoS-for-hire resources as opposed to a botnet compiled by a single actor to carry out just that actor’s bidding. That means others with the money to rent these for-hire services could do the same thing.

Why did it affect the East Coast of the U.S.?

The attacks came in two phases. The first was directed against three Dyn data centers in Chicago, New York and Washington, D.C. Since DNS lookups are done at the closest DNS server, those centers had a big impact on East Coast lookup requests. In the second phase, Dyn data centers around the globe were hit. This required considerable planning because it meant individual bots had to be making lookup requests from within the region served by each Dyn data center. So the attack force had to be divided into units that each had specific targets based on location.

Who did this?

Nobody’s sure.

Brian Krebs, who runs Krebs on Security, was the first hit by Mirai. He writes that a Dyn researcher collaborated with him on a blog post exploring the activities of DDoS mitigation firm BackConnect, Inc., and that both his own site and Dyn’s network were DDoSed. It would be peculiar if such a massive and sophisticated botnet were used for simple revenge when it could be used for much more lucrative purposes.

What devices were used?

A variety of them, but mainly security cameras, DVRs and routers. Some cameras made by Chinese firm Hangzhou Xiongmai Technology were involved. The company acknowledges the problem and is recalling some of its Web cams and issuing patches for others.

What should I do?

Individuals can be diligent about patching their IoT devices as security updates are issued. They can check whether passwords for their devices can be changed – some cannot – and change them to something besides the default. They can invest in better home firewalls and deny internet access to their IoT devices. Businesses hoping to keep their Web sites unaffected can use multiple DNS providers and detailed, written plans for what to do when they suffer such an attack. This should include who to call, what remediation steps to take and might call for tabletop exercises to practice the response and make sure the kinks are ironed out.

Could this happen again?

Absolutely. In fact many security experts who keep an eye on internet attacks predict that it’s just a matter of time.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.